LinuxQuestions.org, *BSD forum (discussion of all BSD variants: FreeBSD, OpenBSD, NetBSD, etc.)
Old 09-02-2015, 03:34 AM   #1
Peter_APIIT
Member
Registered: Dec 2006
Posts: 606
UnBound <-> Dnscrypt-Proxy Problem


Hello to all,

I tried to set up DNS encryption with unbound forwarding to dnscrypt-proxy, but the DNS lookup fails and I have no idea how to diagnose/troubleshoot it. Therefore, I hope someone will provide some guidance on where to look.

Below is my unbound configuration:

Code:
server:
    interface: 127.0.0.1
    interface: 172.16.1.1
    do-ip6: no
    prefetch: yes
    prefetch-key: yes
    #verbosity: 4
    log-time-ascii: yes
    statistics-interval: 3600

    access-control: 0.0.0.0/0 deny
    access-control: 127.0.0.0/8 allow
    access-control: 172.16.1.0/24 allow
    access-control: ::0/0 refuse
    #access-control: ::1 allow

    # Required here: the forwarder lives on 127.0.0.1, which unbound
    # otherwise refuses to send queries to.
    do-not-query-localhost: no

    num-threads: 2
    msg-cache-size: 8mb
    rrset-cache-size: 16mb

    # Slab settings are counts (powers of two), not sizes.
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8

    hide-identity: yes
    # Uncomment to enable DNSSEC validation.
    #
    #auto-trust-anchor-file: "/var/unbound/db/root.key"

    # Serve zones authoritatively from Unbound to resolver clients.
    # Not for external service.
    #
    #local-zone: "local." static
    #local-data: "mycomputer.local. IN A 192.0.2.51"
    #local-zone: "2.0.192.in-addr.arpa." static
    #local-data-ptr: "192.0.2.51 mycomputer.local"

    # UDP EDNS reassembly buffer advertised to peers. Default 4096.
    # May need lowering on broken networks with fragmentation/MTU issues,
    # particularly if validating DNSSEC.
    #
    #edns-buffer-size: 1480

    # Use TCP for "forward-zone" requests. Useful if you are making
    # DNS requests over an SSH port forwarding.
    #
    #tcp-upstream: yes

# Use an upstream forwarder (recursive resolver) for specific zones.
# Example addresses given below are public resolvers valid as of 2014/03.
#
forward-zone:
    name: "."                           # use for ALL queries
    # forward-addr: 74.82.42.42         # he.net
    # forward-addr: 2001:470:20::2      # he.net v6
    # forward-addr: 8.8.8.8             # google.com
    # forward-addr: 2001:4860:4860::8888 # google.com v6

    # dnscrypt-proxy listener; "@port" selects a port other than 53
    forward-addr: 127.0.0.1@443
    #forward-addr: 208.67.222.222       # opendns.com
    #forward-addr: 208.67.220.220
    # forward-first: yes                # try direct if forwarder fails
Starting dnscrypt-proxy (from the rc script):

Code:
echo -n "Starting dnscrypt-proxy\n"
# -d daemonize, -a local listen address, -R resolver name from the resolvers list,
# -m log level, -n max active requests, -u unprivileged user to drop to
/usr/local/sbin/dnscrypt-proxy -d -a 127.0.0.1:443 -R "cloudns-syd" -m 7 -n 350 -u "_dnscrypt-proxy"
Both processes are running fine without any errors. Are there any tools or commands I can use to troubleshoot or diagnose this?

Please help. Thanks.
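The quickest way to localise a failure in a two-hop chain like this is to query each listener directly, bypassing the other. The script below is an added example, not code from the original post or from either project: it builds a plain DNS query on the wire, sends it over UDP to one listener, and reports the response code, the TC/RA/AD flags and any A records, so that dnscrypt-proxy on 127.0.0.1:443 and Unbound can be tested independently. It assumes the layout given in the thread (dnscrypt-proxy on 127.0.0.1:443) and additionally assumes Unbound is listening on 127.0.0.1:53, which the post does not state; the hostname queried is also just an example.

```python
#!/usr/bin/env python3
"""Hop-by-hop DNS check for an Unbound -> dnscrypt-proxy forwarding chain.

Added example, not from the original post. It sends a plain DNS query
straight to each listener so the two halves of the chain can be tested
separately. Assumptions (taken from the thread, not verified here):
dnscrypt-proxy listens on 127.0.0.1:443; Unbound is assumed to listen on
127.0.0.1:53, which the post does not state.
"""
import secrets
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None):
    """Return (txid, packet) for a recursion-desired query (qtype 1 = A)."""
    if txid is None:
        txid = secrets.randbits(16)          # random id: cheap anti-spoofing check
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(pkt, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off if end is None else end


def parse_response(txid, pkt):
    """Check the reply header and collect A records; raise ValueError if unusable."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        _, off = _read_name(pkt, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(pkt[off:off + 4])))
        off += rdlen
    return {
        "rcode": RCODES.get(flags & 0xF, flags & 0xF),
        "tc": bool(flags & 0x0200),           # truncated: retry over TCP
        "ra": bool(flags & 0x0080),           # server offers recursion
        "ad": bool(flags & 0x0020),           # answer was DNSSEC-validated by the resolver
        "answers": answers,
    }


def query(server, port, name, timeout=3.0):
    """One UDP round trip; returns parse_response()'s dict or {'error': ...}."""
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"error": "timeout (no reply at all)"}
    try:
        return parse_response(txid, data)
    except ValueError as e:
        return {"error": f"bad reply: {e}"}


if __name__ == "__main__":
    # Port 53 for Unbound is an assumption; adjust if it listens elsewhere.
    name = sys.argv[1] if len(sys.argv) > 1 else "www.openbsd.org"
    for hop, port in (("dnscrypt-proxy", 443), ("unbound", 53)):
        print(f"{hop:15s} 127.0.0.1:{port}  {query('127.0.0.1', port, name)}")
```

Run it on the box with both daemons up (`python3 dnscheck.py www.openbsd.org`, assuming a python3 package is installed). If the :443 line returns NOERROR with answers but the :53 line times out or returns SERVFAIL, the fault is between Unbound and its forwarder (check `unbound-checkconf`, raise `verbosity` and read the log); if :443 itself times out, dnscrypt-proxy is not getting answers from its upstream resolver and Unbound is not the problem.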
 
Old 09-02-2015, 09:26 AM   #2
cynwulf
Senior Member
Registered: Apr 2005
Posts: 2,727
Quote:
Originally Posted by Peter_APIIT
Code:
# forward-addr: 2001:4860:4860::8888 # google.com v6

forward-addr:127.0.0.1@443
#forward-addr: 208.67.222.222 # opendns.com
The '@' does not look syntactically correct? Have you checked this? (Aside from that, no idea, as I've little experience with this.)
 
Old 09-06-2015, 05:45 PM   #3
persistent_ignoramus
LQ Newbie
Registered: Sep 2015
Distribution: OpenBSD
Posts: 1
Quote:
Originally Posted by Peter_APIIT
Hello to all,
...

Please help. Thanks.
Hello Peter,

A quick look shows that you didn't:

1) show us which OS and version you are running (dmesg)
2) show us which version of unbound you are running

I assume you are on OpenBSD, but BSD netiquette still requires that you say which version (is it -current, or 5.7, or something else). This is a general tip for the *BSD world.

Moreover,
3) The DNSSEC section of your config is commented out, meaning it's not enabled. To enable it, you need to create the key first (don't follow the tutorial from calomel; it's inaccurate and misleading, read man unbound). There is no encryption without the key, AFAIK. If I understood your question correctly (encrypting DNS), this should be the proper answer, since I am not aware of any encryption of DNS outside of DNSSEC (but I might be wrong).
 
1 member found this post helpful.
Old 09-08-2015, 04:10 AM   #4
cynwulf
Senior Member
Registered: Apr 2005
Posts: 2,727
5 days ago Peter_APIIT was still running the -release kernel for 5.7-release: http://daemonforums.org/showthread.p...6313#post56313

@Peter, have you installed any of the 5.7-release errata patches yet? http://www.openbsd.org/errata57.html

Code:
$ sysctl kern.version